
Archive for October, 2007


Oct30
by Robert McArdle (Threats Analyst)

It was pretty much inevitable that some malware group would use Halloween as a vehicle to infect even more users. Malware has a long history of exploiting this particular holiday for its social engineering tricks, all the way back to 1991 when the Halloween Virus showed up. That particular file infector was triggered every Halloween and was so named because it contained the string “Happy Halloween”. This was a proper old-style virus from well before the days of phishing, credit card fraud, spam, rootkits, etc.; it just spread.

Needless to say the Storm network has morphed once more, not wanting to be left out during the Halloween festivities.

The site goes under the title of “Dancing Skeleton” and the executable this time is called “Halloween.exe”. The site features quite an entertaining Dancing Skeleton game (complete with some good old festive exploits for good measure).

Dancing Skeleton game

As if that was not bad enough, the Russian Business Network has shown that there is truly no limit to their depravity, as they resurrected none other than Vengaboys’ “Boom boom boom boom” as background music for the said site. The file can be downloaded from http://www.{BLOCKED}woogiedancingbones.com/amore.mid

Obviously avoid visiting this site completely and ensure that your AV products are up to date.

Happppyyyyy Halllooowweeen!!!

 

Oct27
by Roderick Ordoñez (Technical Communications)

A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go,” and “Melissa” reveals more of herself.

Screenshots below:

TROJ_CAPTCHAR.A screenshot

TROJ_CAPTCHAR.A screenshot

However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The strip-tease game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.

Interestingly enough, the CAPTCHAs in the example above were taken from the Yahoo! Web site, possible proof that someone may be building a huge base of Yahoo! accounts. For spam-related reasons perhaps? Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user.

The CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, was born when bots started spreading over the Internet scene a few years ago. The system was aimed at preventing automated submissions/registrations of bots by prompting the user to validate himself as a human, usually requiring the user to input a sequence of alphanumeric characters contained in an image supposedly “unreadable” by a machine.

However, some people are really hooked on defeating the CAPTCHA, and they are literally asking for public help, in a rather discreet—and, um, provocative—manner.
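One defensive measure that follows from the relay described above, added here as an example and not taken from the original post: a CAPTCHA verifier that binds each challenge to the session that requested it, accepts a solution only once, and expires it after a short window. That rules out stockpiling solved CAPTCHAs for later use and forces any relay to complete within the window; the `CaptchaGate` class, the session identifiers and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class CaptchaGate:
    """Issue CAPTCHA challenges bound to one session; each is single-use and short-lived."""

    def __init__(self, key: bytes, ttl: int = 60, now=time.time):
        self.key = key          # server-side secret used to MAC the challenge id to a session
        self.ttl = ttl          # seconds a solution stays acceptable after the image was issued
        self.now = now          # injectable clock so expiry can be tested deterministically
        self.pending = {}       # challenge_id -> (session_id, expected_answer, issued_at)

    def _tag(self, cid: str, session_id: str) -> str:
        msg = f"{cid}:{session_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, session_id: str, answer: str) -> str:
        """Record the expected answer for a freshly rendered image; return the token to embed in the form."""
        cid = secrets.token_hex(8)
        self.pending[cid] = (session_id, answer, self.now())
        return f"{cid}.{self._tag(cid, session_id)}"

    def verify(self, session_id: str, token: str, response: str) -> bool:
        cid, _, tag = token.partition(".")
        # The tag ties the challenge to the session that requested it, so a token
        # harvested in one context cannot be redeemed from another.
        if not hmac.compare_digest(tag, self._tag(cid, session_id)):
            return False
        # Consume the challenge whether or not the answer is right: no second tries.
        entry = self.pending.pop(cid, None)
        if entry is None:
            return False
        sid, answer, issued = entry
        if sid != session_id or self.now() - issued > self.ttl:
            return False   # wrong session, or the human-relay round trip took too long
        return hmac.compare_digest(answer.lower().encode(), response.strip().lower().encode())
```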

 

Oct27
by Dianne Lagrimas (Technical Communications)

A number of IT-related online magazines (e-zines) belonging to one online publishing group were found to be hosting malicious IFRAMEs. Security researcher Dancho Danchev shared this discovery with the rest of the security community. Some of the e-zines hosting malicious IFRAMEs are:

  • webweekmag.com - Web Week Magazine
  • itweekmagazine.com - IT Week Magazine
  • technologyweekmag.com - Technology Week Magazine
  • theinternetstandardmag.com - The Internet Standard
  • securitystandardmag.com - Security Standard

Danchev notes that there are a total of 24 e-zines, all of which are owned by Possibility Media, that have malicious IFRAMEs embedded in them. Trend Micro threat analyst Jonell Baltazar checked some of the e-zines’ URLs and was able to obtain different binary files that are detected by Trend Micro products as PAK_GENERIC and POSSIBLE_STRAT-6. Other files are now under analysis.

Even Google (via StopBadware.org) tags Possibility Media’s Web site as harmful:

{Google search for P. Media}

 

Oct26
by Macky Cruz (Technical Communications)

An infections graph released by Trend Micro Threat Analytics shows that severe malware infections grew 200% throughout 2007. See below.

Severe malware places user data and credibility at risk by damaging possibly critical user and system data (which may render the system unusable or lead to irreparable data loss), compromising user systems, or using complex rootkit techniques that allow the malware to become virtually untraceable. This trend also shows us the increasing importance of keeping anti-malware scan engines as up to date as possible.

Thanks to Anthony Arrott and Paul Ferguson for the analysis and preparation of this material.

 

Oct24
by Mayee Corpin (Technical Communications)

The world is not wanting in conflicts, either on the ground or online. A Web war is at present raging between Sweden and Turkey, said to be precipitated by another caricature of Islam’s Prophet Muhammad.

More than 5,000 Swedish Web sites have been defaced by Turkish hackers since early October, according to the International Herald Tribune. Files were removed from the sites, which are mostly related to hotels, while some were replaced by messages posted by the hackers.

Here’s a screenshot of a hacked Swedish site:

Sample of a hacked Swedish site

And a screenshot of another Web page that may be related to the group that defaced the Swedish sites:

Although the link is not clearly established, the said defacement is believed to come in the wake of the publication of an editorial “moodog” cartoon, which showed the holy prophet’s head attached to a dog’s body. Indeed, some of the sites saw messages saying that the prophet had been violated. The said drawing was done by Lars Vilks and published in the Swedish newspaper Nerikes Allehanda on August 19. Vilks has since received a sizeable bounty on his head from an Iraqi insurgent leader.

Sweden’s own hackers retaliated by putting up pornographic images in which the prophet and Mustafa Kemal Ataturk, founder and first President of the Turkish Republic, appear. The said images came out in a Turkish discussion forum whose members allegedly hacked the Swedish sites. Moreover, the Swedes stole the members’ user names, passwords, and homepages, along with their Hotmail and MSN instant messenger accounts. They also spammed out ugly, damaging messages to the Turkish account owners’ contacts.

Trend Micro Senior Threat Researcher Ivan Macalintal cites inside accounts in saying that “this incident did not involve any of the usual malware activity that we usually find in Web threats. This was (more) like a socio-political and religious Web warfare between hacker groups in Turkey and Sweden.”

It can be recalled that in 2005, a similar uproar was heard throughout the globe, caused by another of the prophet’s caricatures published in a Danish newspaper. This time around, the Web was the go-to platform for the Muslim protests, which were aired via hacking that was only met with more sophisticated hacking, a case of fighting fire with fire. It proves nothing but that the innocent, online users or not, always get caught in the crossfire.

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice